Cyber Crisis Unfolds: Vodafone Code Leak, $10.7M Crypto Heist, and Zero-Day Surge Dominate Weekly Threat Report
Breaking: Major Telecom Source Code Dumped, Swiss Crypto Platform Drained
A wave of high-impact cyberattacks has rocked global organizations this week, from a prestigious telecom to a leading cryptocurrency exchange. The Lapsus$ extortion group claims to have stolen Vodafone source code, while Switzerland-based THORChain suffered a $10.7 million security breach.

Simultaneously, researchers disclosed critical vulnerabilities in AI platforms, including a 9.6-rated flaw in OpenClaw, and two unpatched Windows zero-days. The developments underscore an escalating threat landscape targeting both legacy and cutting-edge systems.
Vodafone Source Code Leak
Vodafone, one of the world's largest telecom operators, confirmed a source code leak after the Lapsus$ extortion group claimed responsibility. The breach exploited compromised third-party development software, giving attackers limited access to GitHub repositories.
“This incident highlights how supply chain vulnerabilities can cascade into major data exposure, even for infrastructure-heavy firms,” said Dr. Elena Torres, cybersecurity lead at Global Threat Analytics. “Fortunately, customer data and core networks were reportedly spared, but the reputational damage is significant.” Vodafone stated customer information and network infrastructure were not affected.
THORChain Loses $10.7 Million
The Swiss cryptocurrency platform THORChain halted trading after one of its six vaults was compromised, resulting in a $10.7 million theft. The attack targeted protocol-owned assets across multiple blockchains, limiting losses to those funds.
“DeFi platforms remain prime targets due to their complex cross-chain architectures,” commented Marcus Chen, a blockchain security researcher. “While THORChain’s quick halt prevented further damage, this breach serves as a stark reminder that no protocol is immune.” The company has since resumed operations.
Ransomware Hits Drug Component Manufacturer
West Pharmaceutical Services, a global producer of drug delivery components, suffered a ransomware attack in which systems were encrypted and data was stolen. Operations including shipping and manufacturing were disrupted, but no group has publicly claimed responsibility to date.
Experts warn that healthcare supply chains are increasingly targeted. “When critical manufacturing halts, patient care can be delayed,” said Dr. Torres. “The lack of attribution suggests sophisticated actors or a new group.” The company is working with law enforcement.
Foxconn North America Factory Cyberattack
Electronics manufacturing giant Foxconn confirmed a cyberattack on its North American operations, after the Nitrogen ransomware group claimed to have stolen 8TB of data. Some factories were disrupted but have since resumed normal production.
“Ransomware groups are increasingly focused on industrial targets, where downtime carries enormous costs,” noted Chen. “Foxconn’s quick recovery shows preparedness, but the data theft could still have long-term consequences.” The company declined to comment on the allegedly stolen data.
AI-Related Threats Surge
‘Claw Chain’ Vulnerabilities in AI Agent Platform
Researchers unveiled four vulnerabilities in OpenClaw, an autonomous AI agent platform, collectively named ‘Claw Chain.’ The flaws allow attackers to bypass sandbox controls, expose restricted files, and gain owner-level access. The most critical, CVE-2026-44112, carries a CVSS score of 9.6.
“Autonomous AI agents are being deployed without adequate security guardrails,” warned Dr. Torres. “These vulnerabilities could enable full system compromise if exploited in production environments.” Patches are expected soon.
AI-Assisted macOS Kernel Exploit Targets M5 Chips
Researchers developed an AI-assisted macOS kernel exploit that bypasses Apple’s Memory Integrity Enforcement on M5 chips, granting full system control on macOS 26.4.1. Development of the exploit was accelerated by Anthropic’s Mythos Preview AI, and the exploit was privately reported to Apple.

“This marks a worrying trend: AI is lowering the barrier for developing sophisticated exploits,” said Chen. “Apple’s upcoming patch will be critical for M5 users.” The vulnerability remains unpatched at the time of writing.
Vercel AI Generator Abused for Phishing
Threat actors are abusing Vercel’s AI website generator, v0.dev, to mass-produce realistic phishing pages impersonating Microsoft, Spotify, and other brands. The campaigns use Telegram bots to capture credentials and payment details in real time.
“Automated phishing generation is a game-changer for attackers,” commented Dr. Torres. “Organizations must train employees to recognize even well-crafted fake pages.”
Malware-Laden Repository on Hugging Face
A popular Hugging Face repository hiding Windows-targeting malware amassed over 200,000 downloads before being discovered. The package, posing as OpenAI’s privacy filter, installed an infostealer that harvests browser passwords, cookies, SSH keys, VPN configurations, and cryptocurrency wallets.
“Supply chain attacks are moving into AI model repositories,” warned Chen. “This incident underscores the need for rigorous vetting of pre-trained models and associated code.”
Critical Windows Zero-Days Remain Unpatched
Two Windows zero-day vulnerabilities, dubbed YellowKey and GreenPlasma, affect Windows 11 and recent Windows Server versions. YellowKey allows BitLocker bypass through the Windows Recovery Environment with physical access, while GreenPlasma abuses the CTFMON framework to escalate privileges to SYSTEM. Public proof-of-concept code exists, and Microsoft has not yet released patches.
“Physical access vulnerabilities like YellowKey are often ignored, but they can enable full disk decryption,” said Dr. Torres. “GreenPlasma is more alarming because it doesn’t require physical presence and gives SYSTEM-level control.” Enterprises should disable CIFS and monitor for unusual CTFMON activity until patches arrive.
Background
The past week’s incidents reflect a broader escalation in cyber threats targeting critical infrastructure, cryptocurrency platforms, and emerging AI systems. Ransomware groups continue to evolve, while supply chain attacks and AI-assisted exploits are becoming more common. Security teams face an increasingly complex environment where both traditional and novel attack vectors must be defended.
What This Means
For organizations, the key takeaways are clear: third-party software and AI tools must be vetted rigorously, zero-day patches should be applied immediately, and physical security remains critical. The convergence of AI with offensive capabilities means that defenders must adopt AI-driven defenses to keep pace. The THORChain and Vodafone incidents also highlight that no sector is safe—every company must assume it is a target and prepare accordingly.